Eighty percent of websites lack DMARC policies to protect against spoofing: Report

Nearly 80% of websites have no DMARC (Domain-based Message Authentication, Reporting & Conformance) policy in place, increasing the odds that their domain will be spoofed and used for phishing attacks on customers, a report titled Global DMARC Adoption 2019 by 250ok, an Indianapolis-based email intelligence platform, released today, said.

DMARC is an email authentication policy and reporting protocol, aimed to better protect domains against fraudulent emails. This is particularly worrying, as 91% of all cyber attacks begin with a phishing email, the report said. DMARC is considered the industry standard for email authentication to prevent attacks in which hackers send malicious emails via counterfeit web addresses,it added.

Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” Matthew Vernhout, director of privacy at 250ok, said in a press release. “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”

The report analyzed 25,700 domains controlled across education, ecommerce, Fortune 500, US government, international nonprofits, financial services, the top 100 law firms, the SaaS 1000, and more.

Of these, Chinese companies were the least likely to adopt any DMARC policy, with 94% of domains having no policy in place, the report found. Nonprofits also overwhelmingly failed to adopt DMARC (91%), despite the fact that they store significant amounts of personal data about donors and volunteers. Only 23% of Fortune 500 companies have some form of DMARC policy on the books as well, the report found. The SaaS 1000 was the best non-public vertical surveyed—out of the 1,000 domains examined, only 54% did not have a DMARC policy.